mbkauthe 4.8.0 → 4.8.1

package/README.md

@@ -23,7 +23,7 @@
 - Multi-session support (configurable concurrent sessions per user)
 - Optional TOTP-based 2FA with trusted devices
 - Social login (GitHub App & Google OAuth)
-- Role-based access: SuperAdmin, NormalUser, Guest
+- Role-based access: SuperAdmin, NormalUser, Guest, member
 - CSRF protection & rate limiting
 - Easy Express.js integration
 - Customizable Handlebars templates

package/docs/api.md

@@ -1474,7 +1474,7 @@ These cookies allow front-end UI to display a friendly name without making extra
 Checks if the authenticated user has the required role.
 
 **Parameters:**
-- `requiredRole` (string) - Required role: `"SuperAdmin"`, `"NormalUser"`, `"Guest"`, or `"Any"`/`"any"`
+- `requiredRole` (string) - Required role: `"SuperAdmin"`, `"NormalUser"`, `"Guest"`, `"member"`, or `"Any"`/`"any"`
 - `notAllowed` (string, optional) - Role that is explicitly not allowed
 
 **Usage:**

package/docs/db.md

@@ -12,7 +12,7 @@ The project uses a Postgres `ENUM` type for user roles:
 DO $$
 BEGIN
   IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'role') THEN
-    CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
+    CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest', 'member');
   END IF;
 END
 $$;
@@ -319,7 +319,7 @@ To add new users to the `Users` table, use the following SQL queries:
 - Replace `support` and `test` with the desired usernames.
 - For raw passwords: Replace `12345678` with the actual plain text passwords.
 - For encrypted passwords: Use the hashPassword function to generate the hash before inserting.
-- Adjust the `Role` values as needed (`SuperAdmin`, `NormalUser`, or `Guest`).
+- Adjust the `Role` values as needed (`SuperAdmin`, `NormalUser`, `Guest`, or `member`).
 - Modify the `Active` and `HaveMailAccount` values as required.
 
 **Generating Encrypted Passwords:**

package/docs/db.sql

@@ -2,7 +2,7 @@
 DO $$
 BEGIN
   IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'role') THEN
-    CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest');
+    CREATE TYPE role AS ENUM ('SuperAdmin', 'NormalUser', 'Guest', 'member');
   END IF;
 END
 $$;
@@ -94,6 +94,24 @@ CREATE TABLE IF NOT EXISTS "Sessions" (
 CREATE INDEX IF NOT EXISTS idx_sessions_username ON "Sessions" ("UserName");
 CREATE INDEX IF NOT EXISTS idx_sessions_user_created ON "Sessions" ("UserName", created_at);
 
+-- Support expiry-based cleanup and validity checks
+CREATE INDEX IF NOT EXISTS idx_sessions_username_expires
+ON "Sessions" ("UserName", expires_at);
+
+CREATE INDEX IF NOT EXISTS idx_sessions_expires
+ON "Sessions" (expires_at)
+WHERE expires_at IS NOT NULL;
+
+-- Optional (Postgres 11+): covering indexes for hot-path lookups (validateSession)
+-- These can enable index-only scans for the exact columns used in auth middleware.
+CREATE INDEX IF NOT EXISTS idx_sessions_id_cover
+ON "Sessions" (id)
+INCLUDE ("UserName", expires_at);
+
+CREATE INDEX IF NOT EXISTS idx_users_username_cover
+ON "Users" ("UserName")
+INCLUDE ("Active", "Role");
+
 
 CREATE TABLE IF NOT EXISTS "session" (
     sid VARCHAR(33) PRIMARY KEY NOT NULL,

package/index.d.ts

@@ -242,6 +242,9 @@ declare module 'mbkauthe' {
     notAllowed?: UserRole
   ): AuthMiddleware;
 
+  export const sessVal: AuthMiddleware;
+  export const sessRole: AuthMiddleware;
+
   export const strictValidateSession: AuthMiddleware;
 
   export function strictValidateSessionAndRole(

package/index.js

@@ -1,6 +1,5 @@
 import express from "express";
-import router from "./lib/main.js";
-import { checkVersion } from "./lib/main.js";
+import router, { checkVersion } from "./lib/main.js";
 import { engine } from "express-handlebars";
 import path from "path";
 import { fileURLToPath } from "url";
@@ -9,129 +8,95 @@ import { packageJson } from "#config.js";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
+const isDevMode = process.env.test === "dev";
+const DEV_PORT = 5555;
+const viewsPath = path.join(__dirname, "views");
+const packageVersion = packageJson.version;
 
 const app = express();
 
 app.set("views", [
-    path.join(__dirname, "views"),
+    viewsPath,
     path.join(__dirname, "node_modules/mbkauthe/views")
 ]);
 
+const handlebarsHelpers = {
+    eq: (a, b) => a === b,
+    encodeURIComponent: (str) => encodeURIComponent(str),
+    formatTimestamp: (timestamp) => new Date(timestamp).toLocaleString(),
+    jsonStringify: (context) => JSON.stringify(context),
+    json: (obj) => JSON.stringify(obj, null, 2),
+    objectEntries: (obj) => {
+        if (!obj || typeof obj !== 'object') return [];
+        return Object.entries(obj).map(([key, value]) => ({ key, value }));
+    },
+    cacheBuster: () => `?v=${packageVersion}`
+};
+
 app.engine("handlebars", engine({
     defaultLayout: false,
     cache: true,
     partialsDir: [
-        path.join(__dirname, "views"),
+        viewsPath,
         path.join(__dirname, "node_modules/mbkauthe/views"),
         path.join(__dirname, "node_modules/mbkauthe/views/Error"),
     ],
-    helpers: {
-        eq: function (a, b) {
-            return a === b;
-        },
-        encodeURIComponent: function (str) {
-            return encodeURIComponent(str);
-        },
-        formatTimestamp: function (timestamp) {
-            return new Date(timestamp).toLocaleString();
-        },
-        jsonStringify: function (context) {
-            return JSON.stringify(context);
-        },
-        json: (obj) => JSON.stringify(obj, null, 2),
-        objectEntries: function (obj) {
-            if (!obj || typeof obj !== 'object') {
-                return []; // Return an empty array if obj is undefined, null, or not an object
-            }
-            return Object.entries(obj).map(([key, value]) => ({ key, value }));
-        },
-        cacheBuster: function () {
-            return "?v=" + packageJson.version;
-        }
-    }
-
+    helpers: handlebarsHelpers
 }));
 
 app.set("view engine", "handlebars");
-
 app.use(router);
 
-if (process.env.test === "dev") {
+const renderDevError = (res, req, code, error, message, page, details) => renderError(res, req, {
+    layout: false,
+    code,
+    error,
+    message,
+    details,
+    pagename: "Home",
+    page,
+});
+
+if (isDevMode) {
     console.log("[mbkauthe] Dev mode is enabled. Starting server in dev mode.");
-    const port = 5555;
-    app.get(["/dashboard", "/home", "/"], (req, res) => {
-            return res.redirect("/mbkauthe/");
-    });
-    app.get("/dev/2fa", (req, res) => {
-            return renderPage(req, res, "pages/2fa.handlebars", {
-                layout: false,
-                pagename: "Two-Factor Authentication",
-                page: "/home"
-            });
-    });
-    app.get("/showmessage", (req, res) => {
-        //uncomment line 26 on showmessage.handlebars for testing, after testing comment it back
-        return renderPage(req, res, "showmessage", false);
-    });
-    app.get("/500", (req, res) => {
-        return renderError(res, req, {
-            layout: false,
-            code: 500,
-            error: "Internal Server Error",
-            message: "Simulated 500 Error",
-            details: "This is a simulated 500 error page for testing purposes.",
-            pagename: "Home",
-            page: "/mbkauthe/login",
-        });
-    });
+
+    app.get(["/dashboard", "/home", "/"], (req, res) => res.redirect("/mbkauthe/"));
+
+    app.get("/dev/2fa", (req, res) => renderPage(req, res, "pages/2fa.handlebars", false, {
+        pagename: "Two-Factor Authentication",
+        page: "/home"
+    }));
+
+    app.get("/showmessage", (req, res) => renderPage(req, res, "showmessage", false));
+
+    app.get("/500", (req, res) => renderDevError(res, req, 500,
+        "Internal Server Error", "Simulated 500 Error",
+        "/mbkauthe/login", "This is a simulated 500 error page for testing purposes."
+    ));
+
     app.use((req, res) => {
         console.log(`[mbkauthe] Path not found: ${req.method} ${req.url}`);
-        return renderError(res, req, {
-            layout: false,
-            code: 404,
-            error: "Not Found",
-            message: "The requested page was not found.",
-            pagename: "Home",
-            page: "/mbkauthe/login",
-        });
+        renderDevError(res, req, 404, "Not Found", "The requested page was not found.", "/mbkauthe/login");
     });
-    app.listen(port, () => {
-        console.log(`[mbkauthe] Server running on http://localhost:${port}`);
+
+    app.listen(DEV_PORT, () => {
+        console.log(`[mbkauthe] Server running on http://localhost:${DEV_PORT}`);
     });
 }
 
-if (process.env.test !== "dev") {
+if (!isDevMode) {
     await checkVersion();
 }
 
-export {
-    validateSession, validateApiSession, checkRolePermission,
-    validateSessionAndRole, authenticate, reloadSessionUser,
-    strictValidateSession, strictValidateSessionAndRole
-} from "./lib/middleware/auth.js";
-export {
-    sessionConfig,
-    corsMiddleware,
-    sessionRestorationMiddleware,
-    sessionCookieSyncMiddleware,
-    requestContextMiddleware
-} from "./lib/middleware/index.js";
+export * from "./lib/middleware/auth.js";
+export * from "./lib/middleware/index.js";
 export { validateTokenScope } from "./lib/middleware/scopeValidator.js";
-export { renderError, getUserContext, renderPage, proxycall } from "#response.js";
+export * from "#response.js";
 export { dblogin } from "#pool.js";
 export { getLatestVersion } from "./lib/routes/misc.js";
-export { checkTrustedDevice, completeLoginProcess } from "./lib/routes/auth.js";
-export {
-    ErrorCodes, ErrorMessages, getErrorByCode,
-    createErrorResponse, logError
-} from "./lib/utils/errors.js";
-export {
-    encryptSessionId, decryptSessionId, cachedCookieOptions, cachedClearCookieOptions,
-    DEVICE_TRUST_DURATION_DAYS, DEVICE_TRUST_DURATION_MS,
-    generateDeviceToken, hashDeviceToken, getDeviceTokenCookieOptions,
-    getCookieOptions, getClearCookieOptions, clearSessionCookies,
-    readAccountListFromCookie, upsertAccountListCookie, removeAccountFromCookie, clearAccountListCookie
-} from "./lib/config/cookies.js";
-export { hashPassword, hashApiToken } from "./lib/config/security.js";
+export * from "./lib/routes/auth.js";
+export * from "./lib/utils/errors.js";
+export * from "./lib/config/cookies.js";
+export * from "./lib/config/security.js";
 export { mbkautheVar } from "#config.js";
 export default app;

package/lib/middleware/auth.js

@@ -6,6 +6,18 @@ import { ErrorCodes, createErrorResponse } from "../utils/errors.js";
 import { hashApiToken } from "#config.js";
 import { canAccessMethod } from "#config.js";
 
+const IS_DEV = process.env.env === 'dev' || process.env.test === 'dev' || process.env.NODE_ENV === 'development';
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const isUuid = (val) => typeof val === 'string' && UUID_RE.test(val);
+
+const SQL_VALIDATE_APP_SESSION = `
+  SELECT s.expires_at, u."Active", u."Role"
+  FROM "Sessions" s
+  JOIN "Users" u ON s."UserName" = u."UserName"
+  WHERE s.id = $1
+  LIMIT 1
+`;
+
 /**
  * Decide if the incoming request should return JSON errors instead of HTML.
  * Non-browser clients (API calls / AJAX) should get JSON.
@@ -184,8 +196,10 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
 
   // --- Fallback to Cookie Session ---
   if (!req.session.user) {
-    console.log("[mbkauthe] User not authenticated");
-    console.log("[mbkauthe]: ", req.session.user);
+    if (IS_DEV) {
+      console.log("[mbkauthe] User not authenticated");
+      console.log("[mbkauthe]: ", req.session.user);
+    }
     if (isJsonRequest(req)) {
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_NOT_FOUND));
     }
@@ -199,10 +213,10 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
   }
 
   try {
-    const { id, sessionId, role, allowedApps } = req.session.user;
+    const { sessionId, role, allowedApps } = req.session.user;
 
     // Defensive checks for sessionId and allowedApps
-    if (!sessionId) {
+    if (!sessionId || !isUuid(sessionId)) {
       console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
@@ -218,15 +232,8 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
       });
     }
 
-    // Normalize sessionId (DB id) for consistent comparison
-    const normalizedSessionId = sessionId;
-
     // Validate session by DB primary key id and join to user
-    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
-                   FROM "Sessions" s
-                   JOIN "Users" u ON s."UserName" = u."UserName"
-                   WHERE s.id = $1 LIMIT 1`;
-    const result = await dblogin.query({ name: 'validate-app-session', text: query, values: [normalizedSessionId] });
+    const result = await dblogin.query({ name: 'validate-app-session', text: SQL_VALIDATE_APP_SESSION, values: [sessionId] });
 
     if (result.rows.length === 0) {
       console.log(`[mbkauthe] Session not found for user "${req.session.user.username}"`);
@@ -247,7 +254,11 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
     const sessionRow = result.rows[0];
 
     // Check expired
-    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+    if (sessionRow.expires_at) {
+      const expiresMs = sessionRow.expires_at instanceof Date
+        ? sessionRow.expires_at.getTime()
+        : Date.parse(sessionRow.expires_at);
+      if (!Number.isNaN(expiresMs) && expiresMs <= Date.now()) {
       console.log(`[mbkauthe] Session invalidated (expired) for user "${req.session.user.username}"`);
       // destroy and clear cookies
       req.session.destroy();
@@ -263,6 +274,7 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
         page: `/mbkauthe/login?redirect=${encodeURIComponent(req.originalUrl)}`,
       });
     }
+    }
 
 
     if (!sessionRow.Active) {
@@ -302,7 +314,7 @@ async function validateSession(req, res, next, strictTokenValidation = false) {
     }
 
     // Store user role in request for checkRolePermission to use
-    req.userRole = result.rows[0].Role;
+    req.userRole = sessionRow.Role;
 
     next();
   } catch (err) {
@@ -321,25 +333,18 @@ async function validateApiSession(req, res, next) {
   }
 
   try {
-    const { id, sessionId, role, allowedApps } = req.session.user;
+    const { sessionId, role, allowedApps } = req.session.user;
 
     // Defensive checks for sessionId and allowedApps
-    if (!sessionId) {
+    if (!sessionId || !isUuid(sessionId)) {
       console.warn(`[mbkauthe] Missing sessionId for user "${req.session.user.username}"`);
       req.session.destroy();
       clearSessionCookies(res);
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
     }
 
-    // Normalize sessionId (DB id) for consistent comparison
-    const normalizedSessionId = sessionId;
-
     // Validate session by DB primary key id and join to user
-    const query = `SELECT s.id as sid, s.expires_at, u."Active", u."Role"
-                   FROM "Sessions" s
-                   JOIN "Users" u ON s."UserName" = u."UserName"
-                   WHERE s.id = $1 LIMIT 1`;
-    const result = await dblogin.query({ name: 'validate-app-session-for-api', text: query, values: [normalizedSessionId] });
+    const result = await dblogin.query({ name: 'validate-app-session-for-api', text: SQL_VALIDATE_APP_SESSION, values: [sessionId] });
 
     if (result.rows.length === 0) {
       req.session.destroy();
@@ -350,11 +355,16 @@ async function validateApiSession(req, res, next) {
     const sessionRow = result.rows[0];
 
     // Check expired
-    if (sessionRow.expires_at && new Date(sessionRow.expires_at) <= new Date()) {
+    if (sessionRow.expires_at) {
+      const expiresMs = sessionRow.expires_at instanceof Date
+        ? sessionRow.expires_at.getTime()
+        : Date.parse(sessionRow.expires_at);
+      if (!Number.isNaN(expiresMs) && expiresMs <= Date.now()) {
       req.session.destroy();
       clearSessionCookies(res);
       return res.status(401).json(createErrorResponse(401, ErrorCodes.SESSION_EXPIRED));
     }
+    }
 
 
     if (!result.rows[0].Active) {
@@ -376,7 +386,7 @@ async function validateApiSession(req, res, next) {
     }
 
     // Store user role in request for checkRolePermission to use
-    req.userRole = result.rows[0].Role;
+    req.userRole = sessionRow.Role;
 
     next();
   } catch (err) {
@@ -500,6 +510,11 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
         });
       }
 
+      // SuperAdmin bypasses all role checks
+      if(req.session.role === "SuperAdmin") {
+        return next();
+      }
+
       // Use role from validateSession to avoid additional DB query
       const userRole = req.userRole;
 
@@ -521,7 +536,7 @@ const checkRolePermission = (requiredRoles, notAllowed) => {
       const rolesArray = Array.isArray(requiredRoles) ? requiredRoles : [requiredRoles];
 
       // Check for "Any" or "any" role
-      if (rolesArray.includes("Any") || rolesArray.includes("any")) {
+      if (rolesArray.includes("Any") || rolesArray.includes("any") || rolesArray.includes("*")) {
         return next();
       }
 
@@ -555,7 +570,6 @@ const validateSessionAndRole = (requiredRole, notAllowed, strictTokenValidation
   };
 };
 
-
 const authenticate = (authentication) => {
   return (req, res, next) => {
     const token = req.headers["authorization"];
@@ -573,8 +587,13 @@ const authenticate = (authentication) => {
 const strictValidateSession = (req, res, next) => validateSession(req, res, next, true);
 const strictValidateSessionAndRole = (requiredRole, notAllowed) => validateSessionAndRole(requiredRole, notAllowed, true);
 
+// Short aliases for convenience
+const sessVal = validateSession;
+const sessRole = validateSessionAndRole;
+
 export {
   validateSession, validateApiSession, checkRolePermission,
   validateSessionAndRole, authenticate, reloadSessionUser,
-  strictValidateSession, strictValidateSessionAndRole
+  strictValidateSession, strictValidateSessionAndRole,
+  sessVal, sessRole
 }

package/lib/pool.js

@@ -34,6 +34,7 @@ attachDevQueryLogger(dblogin);
   try {
     const client = await dblogin.connect();
     client.release();
+    console.log("[mbkauthe] Database connection pool established successfully.");
   } catch (err) {
     console.error("[mbkauthe] Database connection error (pool):", err);
   }

package/lib/routes/auth.js

@@ -110,11 +110,17 @@ export async function checkTrustedDevice(req, username) {
   try {
     // Hash the provided device token before querying DB (we store token hashes in DB)
     const deviceTokenHash = hashDeviceToken(deviceToken);
+    // Single round-trip: validate trusted device AND refresh LastUsed.
     const deviceQuery = `
-      SELECT td."UserName", td."LastUsed", td."ExpiresAt", u."id", u."Active", u."Role", u."AllowedApps"
-      FROM "TrustedDevices" td
-      JOIN "Users" u ON td."UserName" = u."UserName"
-      WHERE td."DeviceToken" = $1 AND td."UserName" = $2 AND td."ExpiresAt" > NOW()
+      UPDATE "TrustedDevices" td
+      SET "LastUsed" = NOW()
+      FROM "Users" u
+      WHERE td."DeviceToken" = $1
+        AND td."UserName" = $2
+        AND td."ExpiresAt" > NOW()
+        AND u."UserName" = td."UserName"
+        AND u."Active" = TRUE
+      RETURNING td."UserName", td."ExpiresAt", u."id" as id, u."Active", u."Role", u."AllowedApps"
     `;
     const deviceResult = await dblogin.query({
       name: 'check-trusted-device',
@@ -138,13 +144,6 @@ export async function checkTrustedDevice(req, username) {
         }
       }
 
-      // Update last used timestamp
-      await dblogin.query({
-        name: 'update-device-last-used',
-        text: 'UPDATE "TrustedDevices" SET "LastUsed" = NOW() WHERE "DeviceToken" = $1',
-        values: [deviceTokenHash]
-      });
-
       console.log(`[mbkauthe] Trusted device validated for user: ${username}`);
       return {
         id: deviceUser.id,
@@ -193,21 +192,24 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     const configuredMax = parseInt(mbkautheVar.MAX_SESSIONS_PER_USER, 10);
     const MAX_SESSIONS = Number.isInteger(configuredMax) && configuredMax > 0 ? configuredMax : 5;
 
-    // Clean up expired sessions first to prevent accumulation
-    await dblogin.query({
-      name: 'cleanup-expired-sessions',
-      text: `DELETE FROM "Sessions" WHERE "UserName" = $1 AND expires_at IS NOT NULL AND expires_at <= NOW()`,
-      values: [username]
-    });
-
-    // Count active sessions for this user (by username)
+    // Clean up expired sessions + count active sessions in a single round-trip.
     const countRes = await dblogin.query({
-      name: 'count-user-sessions',
-      text: `SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC`,
+      name: 'cleanup-and-count-user-sessions',
+      text: `
+        WITH deleted AS (
+          DELETE FROM "Sessions"
+          WHERE "UserName" = $1
+            AND expires_at IS NOT NULL
+            AND expires_at <= NOW()
+        )
+        SELECT COUNT(*)::int AS count
+        FROM "Sessions"
+        WHERE "UserName" = $1
+      `,
       values: [username]
     });
 
-    const currentSessions = countRes.rows.length;
+    const currentSessions = Number(countRes.rows?.[0]?.count ?? 0);
     // If we have MAX_SESSIONS or more, delete oldest to make room for exactly 1 new session
     if (currentSessions >= MAX_SESSIONS) {
       const sessionsToDelete = currentSessions - MAX_SESSIONS + 1; // +1 to make room for new session
@@ -215,15 +217,15 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
 
       await dblogin.query({
         name: 'prune-oldest-user-session',
-        text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 AND (expires_at IS NULL OR expires_at > NOW()) ORDER BY created_at ASC LIMIT $2)`,
+        // Expired sessions were already removed above; remaining rows are active.
+        text: `DELETE FROM "Sessions" WHERE id IN (SELECT id FROM "Sessions" WHERE "UserName" = $1 ORDER BY created_at ASC LIMIT $2)`,
         values: [username, sessionsToDelete]
       });
     }
 
     const expiresAt = new Date(Date.now() + (cachedCookieOptions.maxAge || 0));
 
-    // Insert new session record for the user (generate id explicitly to avoid relying on DB default)
-    const newSessionId = crypto.randomUUID();
+    // Insert new session record for the user.
     let dbSessionId;
     try {
       const insertRes = await dblogin.query({
@@ -237,12 +239,18 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
       throw insertErr;
     }
 
-    // Update last_login timestamp for the user
-    await dblogin.query({
-      name: 'login-update-last-login',
-      text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1`,
-      values: [user.id]
-    });
+    // Update last_login and fetch FullName/Image in a single query.
+    let profileRow = null;
+    try {
+      const profUpdateRes = await dblogin.query({
+        name: 'login-update-last-login-return-profile',
+        text: `UPDATE "Users" SET "last_login" = NOW() WHERE "id" = $1 RETURNING "FullName", "Image"`,
+        values: [user.id]
+      });
+      profileRow = profUpdateRes.rows?.[0] || null;
+    } catch (profileUpdateErr) {
+      console.error('[mbkauthe] Error updating last_login/returning profile:', profileUpdateErr);
+    }
 
     req.session.user = {
       id: user.id,
@@ -255,20 +263,26 @@ export async function completeLoginProcess(req, res, user, redirectUrl = null, t
     // Clear profile picture cache to fetch fresh data
     clearProfilePicCache(req, username);
 
-    // Attempt to fetch FullName and Image from Users and store it in session for display purposes
+    // Store FullName/Image in session and cache cookie values.
     let loginProfileImage = null;
-    try {
-      const profileResult = await dblogin.query({
-        name: 'login-get-fullname-and-image',
-        text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
-        values: [username]
-      });
-      if (profileResult.rows.length > 0) {
-        if (profileResult.rows[0].FullName) req.session.user.fullname = profileResult.rows[0].FullName;
-        if (profileResult.rows[0].Image && profileResult.rows[0].Image.trim() !== '') loginProfileImage = profileResult.rows[0].Image;
+    if (profileRow) {
+      if (profileRow.FullName) req.session.user.fullname = profileRow.FullName;
+      if (typeof profileRow.Image === 'string' && profileRow.Image.trim() !== '') loginProfileImage = profileRow.Image;
+    } else {
+      // Fallback: try a read query if UPDATE...RETURNING failed unexpectedly.
+      try {
+        const profileResult = await dblogin.query({
+          name: 'login-get-fullname-and-image',
+          text: 'SELECT "FullName", "Image" FROM "Users" WHERE "UserName" = $1 LIMIT 1',
+          values: [username]
+        });
+        if (profileResult.rows.length > 0) {
+          if (profileResult.rows[0].FullName) req.session.user.fullname = profileResult.rows[0].FullName;
+          if (profileResult.rows[0].Image && profileResult.rows[0].Image.trim() !== '') loginProfileImage = profileResult.rows[0].Image;
+        }
+      } catch (profileErr) {
+        console.error("[mbkauthe] Error fetching FullName/Image for user:", profileErr);
       }
-    } catch (profileErr) {
-      console.error("[mbkauthe] Error fetching FullName/Image for user:", profileErr);
     }
 
     if (req.session.preAuthUser) {

package/lib/routes/misc.js

@@ -228,7 +228,24 @@ router.get('/api/checkSession', LoginLimit, async (req, res) => {
       return res.status(200).json({ sessionValid: false, expiry: null });
     }
 
-    const result = await dblogin.query({ name: 'check-session-validity', text: `SELECT s.expires_at, u."Active" FROM "Sessions" s JOIN "Users" u ON s."UserName" = u."UserName" WHERE s.id = $1 LIMIT 1`, values: [sessionId] });
+    // Single round-trip: fetch app-session expiry and (if needed) connect-pg-simple expiry.
+    const result = await dblogin.query({
+      name: 'check-session-validity',
+      text: `
+        SELECT
+          s.expires_at,
+          u."Active",
+          CASE
+            WHEN s.expires_at IS NULL THEN (SELECT expire FROM "session" WHERE sid = $2)
+            ELSE NULL
+          END AS connect_expire
+        FROM "Sessions" s
+        JOIN "Users" u ON s."UserName" = u."UserName"
+        WHERE s.id = $1
+        LIMIT 1
+      `,
+      values: [sessionId, req.sessionID]
+    });
 
     if (result.rows.length === 0) {
       req.session.destroy(() => { });
@@ -243,12 +260,9 @@ router.get('/api/checkSession', LoginLimit, async (req, res) => {
       return res.status(200).json({ sessionValid: false, expiry: null });
     }
 
-    // Determine expiry: prefer application session expiry if present else fallback to connect-pg-simple expire
-    let expiry = row.expires_at ? new Date(row.expires_at).toISOString() : null;
-    if (!expiry) {
-      const sessResult = await dblogin.query({ name: 'get-session-expiry', text: 'SELECT expire FROM "session" WHERE sid = $1', values: [req.sessionID] });
-      expiry = sessResult.rows.length > 0 && sessResult.rows[0].expire ? new Date(sessResult.rows[0].expire).toISOString() : null;
-    }
+    // Determine expiry: prefer application session expiry if present else fallback to connect-pg-simple expiry.
+    const expirySource = row.expires_at || row.connect_expire || null;
+    const expiry = expirySource ? new Date(expirySource).toISOString() : null;
 
     return res.status(200).json({ sessionValid: true, expiry });
   } catch (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mbkauthe",
-  "version": "4.8.0",
+  "version": "4.8.1",
   "description": "MBKTech's reusable authentication system for Node.js applications.",
   "main": "index.js",
   "type": "module",